Singapore CSA warns of maximun severity SmarterMail RCE flaw

AndyC 1 January 2026

Singapore CSA warns of maximun severity SmarterMail RCE flaw

Singapore CSA warns of maximun severity SmarterMail RCE flaw

Singapore CSA warns of maximun severity SmarterMail RCE flaw

Singapore CSA warns of maximun severity SmarterMail RCE flaw

Pierluigi Paganini
December 31, 2025

Singapore’s CSA warns of CVE-2025-52691, a critical SmarterMail flaw enabling unauthenticated remote code execution via arbitrary file upload.

Singapore’s Cyber Security Agency of Singapore (CSA) warns of a maximum severity flaw, tracked as CVE-2025-52691 (CVSS score of 10.0), in SmarterMail. The vulnerability enables unauthenticated remote code execution via arbitrary file upload.

“Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.” reads CSA’s advisory.

SmarterMail is a commercial email server software developed by SmarterTools.
It’s used by businesses, hosting providers, and ISPs to run their own mail servers instead of relying on cloud services like Microsoft 365 or Google Workspace.

The vulnerability impacts SmarterMail versions Build 9406 and earlier, CSA recommends users and administrators of affected product versions to update to SmarterMail version Build 9413 immediately.

Mr Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) responsibly disclosed the vulnerability.

At this time, it is unclear if the flaw is being exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CSA)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

ESA disclosed a data breach, hackers breached external servers

ESA disclosed a data breach, hackers breached external servers

AndyC 1 January 2026
Top Data Breaches of December 2025

MongoBleed (CVE-2025-14847): the US, China, and the EU are among the top exploited GEOs

AndyC 1 January 2026
Coupang announces .17B compensation plan for 33.7M data breach victims

Coupang announces $1.17B compensation plan for 33.7M data breach victims

AndyC 31 December 2025
Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver

Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver

AndyC 31 December 2025
Lithuanian suspect arrested over KMSAuto malware that infected 2.8M systems

Lithuanian suspect arrested over KMSAuto malware that infected 2.8M systems

AndyC 31 December 2025
U.S. CISA adds a flaw in MongoDB Server to its Known Exploited Vulnerabilities catalog

U.S. CISA adds a flaw in MongoDB Server to its Known Exploited Vulnerabilities catalog

AndyC 31 December 2025

You may have missed

Blog-12-300x200-1.jpg

New Year Reset: A Quick Guide to Improving Your Digital Hygiene in 2026

AndyC 1 January 2026
ESA disclosed a data breach, hackers breached external servers

ESA disclosed a data breach, hackers breached external servers

AndyC 1 January 2026
Singapore CSA warns of maximun severity SmarterMail RCE flaw

Singapore CSA warns of maximun severity SmarterMail RCE flaw

AndyC 1 January 2026
Communicating AI Risk to the Board With Confidence | Kovrr

Communicating AI Risk to the Board With Confidence | Kovrr

AndyC 1 January 2026
Trust Wallet Chrome Extension Hack Drains .5M via Shai-Hulud Supply Chain Attack

Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack

AndyC 1 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.